southfox/Blog
1
0
Fork 0
mirror of https://github.com/SouthFox-D/SouthFox-D.github.io.git synced 2024-12-01 18:55:20 +01:00
Code Issues Projects Releases Packages Wiki Activity
Blog/2021/07/搭建无污染的DNS服务/index.html

304 lines
17 KiB
HTML
Raw Permalink Normal View History

GitHub action Auto Builder
2024-11-19 04:05:20 +01:00
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<title>搭建无污染的DNS服务 | Foxhole</title>
<meta name="author" content="SouthFox">
<meta name="description" content="DNS 作为互联网世界的电话簿,重要性不言而喻。但是平常使用时,默认情况都是在裸奔,非常不安全,劫持和污染处处存在,所以搭建一个自己放心的 DNS 服务还是有必要的……">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta property="og:title" content="2021/07/搭建无污染的DNS服务/">
<meta property="og:site_name" content="Foxhole">
<meta property="og:image" content="https://blog.southfox.me/favicon.png">
<link href="../../.././favicon.png" rel="icon">
<link rel="stylesheet" href="../../.././css/bootstrap.min.css" media="screen" type="text/css">
<link rel="stylesheet" href="../../.././css/style.css" media="screen" type="text/css">
<link rel="stylesheet" href="../../.././css/responsive.css" media="screen" type="text/css">
<link rel="stylesheet" href="../../.././css/highlight.css" media="screen" type="text/css">
<link rel="stylesheet" href="../../.././css/font-awesome.css" media="screen" type="text/css">
<script src="../../.././js/jquery-2.0.3.min.js"> async</script>
<meta name="generator" content="Hexo 6.2.0"><link rel="alternate" href="rss2.xml" title="Foxhole" type="application/rss+xml">
</head>
<body>
<nav id="main-nav" class="navbar navbar-inverse navbar-fixed-top" role="navigation">
<div class="container">
<button type="button" class="navbar-header navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="../../.././">Foxhole</a>
<div class="collapse navbar-collapse nav-menu">
<ul class="nav navbar-nav">
<li>
<a href="../../.././archives" title="All the articles.">
<i class=""></i>归档
</a>
</li>
<li>
<a href="../../.././categories" title="All the categories.">
<i class=""></i>分类
</a>
</li>
<li>
<a href="../../.././tags" title="All the tags.">
<i class=""></i>标签
</a>
</li>
<li>
<a href="../../.././rss2.xml" title="Subscribe me.">
<i class=""></i>RSS
</a>
</li>
<li>
<a href="../../.././friends" title="朋友们">
<i class=""></i>友链
</a>
</li>
<li>
<a href="../../.././foxsay" title="狐狸怎么叫?">
<i class=""></i>狐说
</a>
</li>
<li>
<a href="../../.././travellings" title="一群狼走得更远">
<i class="fas fa-subway"></i>开往
</a>
</li>
<li>
<a href="../../.././go" title="十年之约">
<i class="fas fa-bahai"></i>虫洞
</a>
</li>
</ul>
</div>
</div> <!-- container -->
</nav>
<div class="clearfix"></div>
<div class="container">
<div class="content">
<div class="page-header">
<h1> 搭建无污染的DNS服务</h1>
</div>
<div class="row post">
<!-- cols -->
<div id="top_meta"></div>
<div class="col-md-9">
<!-- content -->
<div class="mypage">
<p>DNS 作为互联网世界的电话簿,重要性不言而喻。但是平常使用时,默认情况都是在裸奔,非常不安全,劫持和污染处处存在,所以搭建一个自己放心的 DNS 服务还是有必要的……</p>
<span id="more"></span>
<h2 id="准备"><a href="#准备" class="headerlink" title="准备"></a>准备</h2><ul>
<li>VPS (国内延迟低、国外无阻碍,看取舍吧。有条件也可以用树莓派之类的)</li>
<li>coredns用于配置服务器的 Dns Over Tls 「dot」或 Dns Over Https 「doh」</li>
<li>dnsmasq用于转发 dns 请求)</li>
<li>pihole可选可以干掉追踪器和广告</li>
<li>dnsproxy将请求转发到其他加密 DNS 服务器上)</li>
</ul>
<h3 id="Coredns"><a href="#Coredns" class="headerlink" title="Coredns"></a>Coredns</h3><p>安卓自从 9 版本之后就内置了 Dns Over Tls 「dot」 配置,叫做 <code>私人DNS</code> ,这样进行配置就不用一个一个改 wifi 设定,同时还对蜂窝网络起效果,所以可以用 <code>CoreDNS</code> 来加密设备到服务器之间的请求……</p>
<p><code>CoreDNS</code> 同样使用 <code>Golang</code> 编写,仓库内提供了<a target="_blank" rel="noopener" href="https://github.com/coredns/coredns/releases">可执行程序</a><a target="_blank" rel="noopener" href="https://github.com/coredns/deployment/tree/master/systemd">systemd </a>文件,就算你的发行版没有提供 <code>CoreDNS</code> 的打包也可以自行写个服务。</p>
<p>配置如下:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">tls://.:853 &#123;</span><br><span class="line"> tls /etc/coredns/cert.crt /etc/coredns/cert.key</span><br><span class="line"> forward . 127.0.0.1:53</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>作用是将 853 端口的 dot 请求转发到 53 端口所运行的服务上……</p>
<p>证书用 <code>certbot</code> 申请,偷偷摸摸的用 853 ,国内的云服务商应该不会注意到(毕竟盯着的是 443 和 80 端口的情况多一点……吧)</p>
<h3 id="Pihole-(可选)"><a href="#Pihole-(可选)" class="headerlink" title="Pihole (可选)"></a>Pihole (可选)</h3><p><code>pihole</code> 的好处就是网页的控制面板很好用,看着面板中的统计数据将有非常大的满足感,除此之外就没有啥了。</p>
<p>如果不是全新机子的话,还是用 <code>docker-compose</code> 安装吧pihole 对于安装环境还是很挑剔的。</p>
<p>首先安装 <code>docker</code> 并启动,然后安装 <code>docker-compose</code> ,新建文件夹下新建 <code>docker-compose.yml</code> 文件,输入:</p>
<figure class="highlight dockerfile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">version: <span class="string">&quot;3&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/</span></span><br><span class="line">services:</span><br><span class="line"> pihole:</span><br><span class="line"> container_name: pihole</span><br><span class="line"> image: pihole/pihole:latest</span><br><span class="line"> ports:</span><br><span class="line"> - <span class="string">&quot;53:53/tcp&quot;</span></span><br><span class="line"> - <span class="string">&quot;53:53/udp&quot;</span></span><br><span class="line"> - <span class="string">&quot;67:67/udp&quot;</span></span><br><span class="line"> - <span class="string">&quot;宿主机想开放的端口:下方配置 WEB_PORT 所写/tcp&quot;</span></span><br><span class="line"> environment:</span><br><span class="line"> TZ: <span class="string">&#x27;Asia/Shanghai&#x27;</span></span><br><span class="line"> WEBPASSWORD: <span class="string">&#x27;网页管理面板密码&#x27;</span></span><br><span class="line"> WEB_PORT: 需要开放的端口</span><br><span class="line"> PIHOLE_DNS_: <span class="string">&#x27;8.8.8.8&#x27;</span></span><br><span class="line"> ServerIP: <span class="string">&#x27;服务器 Ip&#x27;</span></span><br><span class="line"> <span class="comment">#VIRTUAL_HOST: &#x27;服务器访问管理面板域名&#x27;</span></span><br><span class="line"> <span class="comment">#DNSMASQ_USER: &#x27;pihole&#x27;</span></span><br><span class="line"></span><br><span class="line"> volumes:</span><br><span class="line"> - <span class="string">&#x27;./etc-pihole/:/etc/pihole/&#x27;</span></span><br><span class="line"> - <span class="string">&#x27;./etc-dnsmasq.d/:/etc/dnsmasq.d/&#x27;</span></span><br><span class="line"> <span class="comment"># Recommended but not required (DHCP needs NET_ADMIN)</span></span><br><span class="line"> <span class="comment"># https://github.com/pi-hole/docker-pi-hole#note-on-capabilities</span></span><br><span class="line"> cap_add:</span><br><span class="line"> - NET_ADMIN</span><br><span class="line"> restart: unless-stopped</span><br></pre></td></tr></table></figure>
<p>注意 <code>ServerIP</code><code>VIRTUAL_HOST</code> 要写对,要不然会被禁止访问……</p>
<h4 id="列表"><a href="#列表" class="headerlink" title="列表"></a>列表</h4><p>装了 pihole 要发挥最大的作用就得找一个优质的屏蔽列表。</p>
<p>可以使用 <a target="_blank" rel="noopener" href="https://github.com/privacy-protection-tools/anti-AD">anti-AD</a> ,能屏蔽国内大部分追踪器和广告地址,对于 pihole 的配置文件在 <a target="_blank" rel="noopener" href="https://anti-ad.net/domains.txt"></a></p>
<h3 id="Dnsmasq"><a href="#Dnsmasq" class="headerlink" title="Dnsmasq"></a>Dnsmasq</h3><p>打开配置文件,更改 <code>port</code> 监听端口, <code>server</code> 写上游 dns 地址(<code>:</code> 要用 <code>#</code> 代替)。</p>
<p>无日志的 <code>dot</code> , <code>doh</code> 服务器一般都是在国外,一般延迟都很糟糕,所以对于国内的域名来说访问延迟将会很大。可以用 <code>Dnsmasq</code> 搭配 <a target="_blank" rel="noopener" href="https://github.com/felixonmars/dnsmasq-china-list">dnsmasq-china-list</a> 项目,起到分流的作用,国内的常用域名送到国内的公共 DNS 服务解析,除此之外走加密的 DNS 服务。</p>
<p>不想装 <code>pihole</code> 的话,可以使用 <a target="_blank" rel="noopener" href="https://github.com/privacy-protection-tools/anti-AD">anti-AD</a> 项目里的 <a target="_blank" rel="noopener" href="https://anti-ad.net/anti-ad-for-dnsmasq.conf">anti-ad-for-dnsmasq.conf</a> 配置文件……</p>
<h3 id="Dnsproxy"><a href="#Dnsproxy" class="headerlink" title="Dnsproxy"></a>Dnsproxy</h3><p>转发到上游的 dot 、 doh 请求。</p>
<p>项目地址在 <a target="_blank" rel="noopener" href="https://github.com/AdguardTeam/dnsproxy">这里</a> ,而且似乎没有提供服务文件,所以得用 <code>screen</code> 挂着了。</p>
<p>基本上能用的 dot 、 doh 服务器被 <a target="_blank" rel="noopener" href="https://www.solidot.org/story?sid=67104"></a> 的差不多了,能用的 只有 <code>Cloudflare</code> 的了,如果对无日志不在意的话可以用腾讯云的 <code>dnspod</code></p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>到此,一个长长的 dns 链条就形成了:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">手机 -- dot 请求 --&gt; coredns --&gt; pihole -- 屏蔽或放行 --&gt; dnsmasq -- 分流 --&gt; 国内列表/列表外 --&gt; dnsproxy --&gt; dot/doh 服务器</span><br></pre></td></tr></table></figure>
<p>如果不贪恋 <code>pihole</code> 的控制面板的话,它的功能完全可以交给 <code>dnsmasq</code> 的。</p>
<p>只是没有控制面板的话,查误杀之类的事就会很麻烦……</p>
<p>搭好后应该使用抓包程序查看数据包,判断设备到服务器是否 套上了 tls ,服务器查看日志,看是否走了加密 dns 服务。</p>
</div>
<div>
<center>
<div class="pagination">
<a href="../../.././2021/09/Second-chance/" type="button" class="btn btn-default"><i
class="fa fa-arrow-circle-o-left"></i> 上一页</a>
<a href="../../.././" type="button" class="btn btn-default"><i class="fa fa-home"></i>主页</a>
<a href="../../.././2021/06/Peertube/" type="button" class="btn btn-default ">下一页<i
class="fa fa-arrow-circle-o-right"></i></a>
</div>
</center>
</div>
<!-- comment -->
<blockquote>如不想授权 Giscus 应用,也可以点击下方<strong>左上角数字</strong>直接跳转到 Github Discussions 进行评论。</blockquote>
<script src="https://giscus.app/client.js"
data-repo="SouthFox-D/SouthFox-D.github.io"
data-repo-id="MDEwOlJlcG9zaXRvcnkyMjg3NDM0MjQ="
data-category="博客评论"
data-category-id="DIC_kwDODaJZAM4CA7bf"
data-mapping="og:title"
data-reactions-enabled="0"
data-emit-metadata="0"
data-input-position="top"
data-theme="dark_dimmed"
data-lang="zh-CN"
crossorigin="anonymous"
async>
</script>
</div> <!-- col-md-9/col-md-12 -->
<div id="side_meta">
<div class="col-md-3" id="post_meta">
<!-- date -->
<div class="meta-widget">
<i class="fa fa-clock-o"></i>
2021-07-06
</div>
<!-- categories -->
<div class="meta-widget">
<a data-toggle="collapse" data-target="#categorys"><i class="fa fa-folder"></i></a>
<ul id="categorys" class="tag_box list-unstyled collapse in">
<li>
<li><a href="/categories/技术/">技术<span>18</span></a></li>
</li>
</ul>
</div>
<!-- tags -->
<div class="meta-widget">
<a data-toggle="collapse" data-target="#tags"><i class="fa fa-tags"></i></a>
<ul id="tags" class="tag_box list-unstyled collapse in">
<li><a href="/tags/技术/">技术<span>14</span></a></li> <li><a href="/tags/DNS/">DNS<span>1</span></a></li>
</ul>
</div>
<!-- toc -->
<div class="meta-widget">
<a data-toggle="collapse" data-target="#toc"><i class="fa fa-bars"></i></a>
<div id="toc" class="toc collapse in">
<span class="toc-title">目录</span>
<ol class="toc-article"><li class="toc-article-item toc-article-level-2"><a class="toc-article-link" href="#%E5%87%86%E5%A4%87"><span class="toc-article-text">准备</span></a><ol class="toc-article-child"><li class="toc-article-item toc-article-level-3"><a class="toc-article-link" href="#Coredns"><span class="toc-article-text">Coredns</span></a></li><li class="toc-article-item toc-article-level-3"><a class="toc-article-link" href="#Pihole-%EF%BC%88%E5%8F%AF%E9%80%89%EF%BC%89"><span class="toc-article-text">Pihole (可选)</span></a><ol class="toc-article-child"><li class="toc-article-item toc-article-level-4"><a class="toc-article-link" href="#%E5%88%97%E8%A1%A8"><span class="toc-article-text">列表</span></a></li></ol></li><li class="toc-article-item toc-article-level-3"><a class="toc-article-link" href="#Dnsmasq"><span class="toc-article-text">Dnsmasq</span></a></li><li class="toc-article-item toc-article-level-3"><a class="toc-article-link" href="#Dnsproxy"><span class="toc-article-text">Dnsproxy</span></a></li></ol></li><li class="toc-article-item toc-article-level-2"><a class="toc-article-link" href="#%E6%80%BB%E7%BB%93"><span class="toc-article-text">总结</span></a></li></ol>
</div>
</div>
<hr>
</div><!-- col-md-3 -->
</div>
</div><!-- row -->
</div>
</div>
<div class="container-narrow">
<footer> <p>
&copy; 2024 SouthFox
Font by <a href="https://github.com/SolidZORO/zpix-pixel-font" target="_blank">Zpix</a>,
Theme by <a href="https://github.com/blackshow/hexo-theme-freemind.386" target="_blank">Freemind.386</a>. <br> <a href="../../.././Privacy-Policy" target="_blank">隐私政策</a>
</p>
</footer>
</div> <!-- container-narrow -->
<a id="gotop" href="#">
<span>TOP</span>
</a>
<script src="../../.././js/jquery.imagesloaded.min.js"></script>
<!-- <script src="../../.././js/gallery.js"></script> -->
<script src="../../.././js/bootstrap.min.js"></script>
<script src="../../.././js/main.js"></script>
<script src="../../.././js/search.js"></script>
<script src="../../.././js/cursor-effects.js"> async</script>
</body>
</html>
Reference in a new issue Copy permalink